Skip to end of metadata
Go to start of metadata

Jump to: 

Meet Baseline Expectations 2 by December 17, 2021

InCommon Participants established the InCommon Baseline Expectations for Trust in Federation in 2018 as a means to increase trust and interoperability among InCommon federation participants and to define what they expect of each other, and of InCommon Operations.

The second iteration of Baseline Expectations (Baseline Expectations 2, or BE2) was ratified by the InCommon Steering Committee in late 2020. BE2 officially went into effect on July 19, 2021. All InCommon Participants are expected to update their registered entities to meet BE2 requirements by December 17, 2021.  

If your organization still has entities that do not meet BE2 requirements, we need to hear from you. Whether you will be ready by December 17 or need more time, please complete this Baseline Expectation 2 Acknowledgement Form to let us know.

Does my organization meet Baseline Expectations?

Visit the Baseline Expectations 2 Adherence by Organization page to see if your organization meets the requirements of Baseline Expectations 2.

Baseline Expectations 2 Progress

The BE2 Progress is updated weekly. The line graph and table below are updated every Monday using the published metadata from the prior Friday.

As of November 26, 2021:


Count

Percent of Total

BE2-adhering Organizations

643

82%

BE2-adhering IdPs

506

87%

BE2-adhering SPs

4715

86%

IdP with Error URL

530

91%

SIRTFI-compliant IdPs

511

87%

SIRTFI-compliant SPs

4720

86%

How are we doing on endpoint encryptions?

The following graphs illustrate the participants' progress toward strengthening connection endpoints. The graphs compare the data collected across five testing cycles between April 2021 and October 2021. 

The encryption test data is updated approximately monthly.

Endpoint Encryption Test Results among InCommon IdPs

Score

Apr 15, 2021

June 23, 2021

July 22,2021

Aug 26, 2021

Sept 19, 2021

Oct 30, 2021

A

186

251

323

370

380

398

B

344

259

221

181

174

157

C

10

8

6

2

2

2

F

2

27

5

2

2

1

n/a

39

37

32

27

21

25


Endpoint Encryption Test Results among InCommon SPs

Score

Apr 15, 2021

June 23, 2021

July 22,2021

Aug 26, 2021

Sept 19,2021

Oct 30, 2021

A

3263

3288

3574

3773

3823


B

1473

1220

1205

1056

1049

982

C

45

47

44

39

36

32

F

23

270

17

26

35

34

n/a

800

693

554

554

514

525

Event Calendar

November 23, 2021 - BE2 Office Hour

Tuesday, November 23, 2021
1 PM ET | Noon CT |  10 AM PT

Zoom Link: https://internet2.zoom.us/j/99430555743

Phone (US): (669) 900-6833 
                      (646) 558-8656

Meeting ID: 994 3055 5743

Key Dates

DateMilestone
December 17, 2021Deadline to meet Baseline Expectations 2 Requirements
July 19 2021Baseline Expectations 2 becomes official policy of the InCommon Federation
November 2, 2020Baseline Expectations 2 approved by InCommon Steering Committee
November 17, 2020Implementation Kick-off, CAMP/ACAMP
January '21 - March '21CTAB begin contacting non-adhering participants

Resources

Archived Content



About Baseline Expectations 2

The second set of Baseline Expectations (BE2) adds three technical requirements aimed at improving security and the user experience. Implementation of BE2 is now under way. The InCommon Federation is expected to officially transition to BE2 on July 19, 2021.

The three BE2 elements are:

  1. Each Identity Provider and Service Provider must secure its connection endpoints with current and trusted encryption (TLS).
  2. All Identity Providers and Service Providers must comply with the SIRTFI international security response framework.
  3. All Identity Providers must include an error URL in metadata.

STATEMENT: All Identity Providers (IdP) and Service Providers (SP) service endpoints must be secured with current and community-trusted transport layer encryption. 

When registering an entity (IdP or SP) in InCommon, all connection endpoints of that entity must be an https URL. The applied transport layer security protocol and associated cipher must be current and trusted by the community. 

Popular security testing software such as the Qualys SSL Lab Server test offers a convenient way to test your server against these criteria and identify weaknesses. If using the Qualys SSL Lab Server test, an overall rating of A or better is considered meeting the requirements of the InCommon Baseline Expectations.

MORE: Clarification - Encrypt Entity Service Endpoints

STATEMENT: All entities (IdP and SP) meet the requirements of the SIRTFI v1.0 trust framework when handling security incidents involving federation participants

The SIRTFI trust framework v1.0 enables standardized and timely security incident response coordination among federation participants. When signaling and responding to security incidents within the federation, entity operators shall adhere to the process defined in the Sirtfi framework.

MORE: Clarification - Entity Complies with SIRTFI v1.0

STATEMENT: All IdP metadata must include an errorURL; if the condition is appropriate, SPs should use the IdP-supplied errorURL to direct the user to proper support.

IdP entity metadata must include a valid errorURL in its IDPSSODescriptor element.

An errorURL specifies a location to direct a user for problem resolution and additional support in the event a user encounters problems accessing a service. In SAML metadata for an IdP, errorURL is an XML attribute applied to the IDPSSODescriptor element. 

When a service provider is unable to process an authentication assertion from an IdP, it may display within its error message a link to this URL to direct the user back to the IdP for additional assistance.  

MORE: Clarification - IDP Metadata Must Have an Error URL